5 Things We Know about the German Hack, from Porn to Mirrors

Today’s revelation of a huge data breach in Germany that exposed the details of nearly 1,000 politicians, including Chancellor Angela Merkel, as well as that of celebrities and journalists, has resulted in a swirl of speculation about the methods and culprits.

Here’s what we know thus far about the German data leaks.

1: Lots of Mirrors

1: The leak was made with strenuous effort to ensure that the leaked documents can’t easily be taken down. There there over 70 mirrors of the initial download link alone, while each of the 40 download links has another 3-5 mirrors each.

Each of the tens of thousands of files uploaded appears to have its own or indeed multiple mirrors; something that would have taken a huge amount of manpower.

This data leak has so much data squirrelled away to avoid take downs. It must have required many man hours of uploading.

Security researcher “The Grugq” speculated a large team may have been involved: “I’d say that the leak files were not produced at the same time. The changes in layout and naming suggest that it wasn’t one person in one marathon session creating these. There is variation in the archive passwords too: 123, abbreviations, variations…”

2: It’s Not All New …

Some of the stolen data sets data back to 2009 and some of the image files linked to in Pastebin were uploaded in 2017. The cache was released one batch at a time from December 1 to December 24 but only got noticed when the culprits hacked the social network of popular German Youtuber unge and spread the documents there.

Many are new however: a sample reviewed by Computer Business Review included recent ministerial-level letters to colleagues; others we saw included private letters dating back to 2013. They have been painstakingly organised.

The data looks initially to largely be from private cloud storage and social media accounts than a particular official server.

The leaks show extensive data about some politicians, including photos and chat logs, but little on others bar private addresses, phone numbers, skype and mail addresses as well as semi-public information (eg. names of relatives); much apparently painstakingly compiled. Outlook accounts, Twitter and Facebook accounts were all hacked.

(Germany’s intelligence services say they only found out on Jan 3 2019.)

3: It’s Bad and About to Get Worse…

German magazine reporter Julian Ropcke, of the BILD, reported that German MPs have begun to receive threatening messages saying their pornography choices were also stolen and they should “come clean” about their sexual preferences…

He added that perusal of “3 percent” of the data had already revealed “cases of corruption and bad political scandals”. 4chan users were already revelling in some of the scandals today, from sexual proclivities to Wikipedia edits by politicians.

First German MPs receive Twitter messages, asking them to admit their real sexual preferences.The hackers obtained pornographic material of them …#BTleaks

4: Two Twitter Accounts Used

Two Twitter accounts @_0rbit and @_0rbiter were used to distribute the material.

@_0rbit was created in February 2015 and had over 18k followers and had previously made 2.7k Tweets but deleted them all in June 2017, researcher Luca Hammer noted.

The account owner said they were in Hamburg, but the culprits now claim to be based in Luxembourg… Their likes suggest right-wing sympathies.

– Tweets, replies, faves and followers let me assume the account had a gaming / youtube / right wing background.– Nobody cared about the initial release of the dumps in December 2018. The dumps were released one at a time from 1. to 24. december. /3

5: Someone Got Left Out…

The leak includes data on 405 CDU-CSU politicians, 294 SPD politicians, 105 Greens, at least 82 Left party members and 28 FDP MPs, with nearly 1,000 local, national and European level lawmakers exposed. Notably absent: right wing AfD members.

Caitlin Huey, senior threat intelligence analyst at EclecticIQ told Computer Business Review in an emailed statement: “The evidence suggests that an organisation with far-right leaning may have the strongest motivation for the leak. It could also be speculated that this was a response to the explosive that was detonated in front of one of the AfD offices yesterday. However, there is nothing conclusive at this time, and even obvious evidence can sometimes point towards a false-flag campaign.”